GetPolicyDocument
Generates an IAM policy document in JSON format.
This is a data source which can be used to construct a JSON representation of
an IAM policy document, for use with resources which expect policy documents,
such as the aws.iam.Policy resource.
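import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// The bucket name comes from stack configuration rather than an undefined
// `var_s3_bucket_name` reference (set it with `pulumi config set s3BucketName <name>`).
const config = new pulumi.Config();
const s3BucketName = config.require("s3BucketName");

// Per-user S3 "home directory" policy. `effect` is omitted, so each statement
// defaults to "Allow". `&{aws:username}` is deliberately not a JS template
// expression: it is left for AWS to substitute (see "Context Variable
// Interpolation" below).
const examplePolicyDocument = pulumi.output(aws.iam.getPolicyDocument({
    statements: [
        {
            // Bucket enumeration only; no object access is granted here.
            sid: "1",
            actions: [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
            ],
            resources: ["arn:aws:s3:::*"],
        },
        {
            // Listing is limited by the `s3:prefix` condition to the bucket root,
            // `home/`, and the caller's own `home/<username>/` prefix.
            actions: ["s3:ListBucket"],
            resources: [`arn:aws:s3:::${s3BucketName}`],
            conditions: [{
                test: "StringLike",
                variable: "s3:prefix",
                values: [
                    "",
                    "home/",
                    "home/&{aws:username}/",
                ],
            }],
        },
        {
            // Full object access, scoped to the caller's own home prefix.
            actions: ["s3:*"],
            resources: [
                `arn:aws:s3:::${s3BucketName}/home/&{aws:username}`,
                `arn:aws:s3:::${s3BucketName}/home/&{aws:username}/*`,
            ],
        },
    ],
}, { async: true }));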
const examplePolicy = new aws.iam.Policy("example", {
path: "/",
policy: examplePolicyDocument.json,
});import pulumi
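import pulumi_aws as aws

# The bucket name comes from stack configuration rather than an undefined
# `var['s3_bucket_name']` reference (set it with `pulumi config set s3BucketName <name>`).
config = pulumi.Config()
s3_bucket_name = config.require("s3BucketName")

# Per-user S3 "home directory" policy. `effect` is omitted, so each statement
# defaults to "Allow". `&{{aws:username}}` is doubled inside f-strings so the
# rendered document contains a literal `&{aws:username}` for AWS to substitute
# (see "Context Variable Interpolation" below).
example_policy_document = aws.iam.get_policy_document(statements=[
    {
        # Bucket enumeration only; no object access is granted here.
        "sid": "1",
        "actions": [
            "s3:ListAllMyBuckets",
            "s3:GetBucketLocation",
        ],
        "resources": ["arn:aws:s3:::*"],
    },
    {
        # Listing is limited by the `s3:prefix` condition to the bucket root,
        # `home/`, and the caller's own `home/<username>/` prefix.
        "actions": ["s3:ListBucket"],
        "resources": [f"arn:aws:s3:::{s3_bucket_name}"],
        "conditions": [{
            "test": "StringLike",
            "variable": "s3:prefix",
            "values": [
                "",
                "home/",
                "home/&{aws:username}/",
            ],
        }],
    },
    {
        # Full object access, scoped to the caller's own home prefix.
        "actions": ["s3:*"],
        "resources": [
            f"arn:aws:s3:::{s3_bucket_name}/home/&{{aws:username}}",
            f"arn:aws:s3:::{s3_bucket_name}/home/&{{aws:username}}/*",
        ],
    },
])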
example_policy = aws.iam.Policy("examplePolicy",
path="/",
policy=example_policy_document.json)using Pulumi;
using Aws = Pulumi.Aws;
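class MyStack : Stack
{
    public MyStack()
    {
        // The bucket name comes from stack configuration rather than the undefined
        // `@var.S3_bucket_name` reference (set it with `pulumi config set s3BucketName <name>`).
        var config = new Config();
        var s3BucketName = config.Require("s3BucketName");

        // Per-user S3 "home directory" policy. Effect is omitted, so each statement
        // defaults to "Allow". `&{{aws:username}}` is doubled inside interpolated strings
        // so the rendered document contains a literal `&{aws:username}` for AWS to substitute.
        var examplePolicyDocument = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                // Bucket enumeration only; no object access is granted here.
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "1",
                    Actions = { "s3:ListAllMyBuckets", "s3:GetBucketLocation" },
                    Resources = { "arn:aws:s3:::*" },
                },
                // Listing is limited by the `s3:prefix` condition to the bucket root,
                // `home/`, and the caller's own `home/<username>/` prefix.
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions = { "s3:ListBucket" },
                    Resources = { $"arn:aws:s3:::{s3BucketName}" },
                    Conditions =
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionArgs
                        {
                            Test = "StringLike",
                            Variable = "s3:prefix",
                            Values = { "", "home/", "home/&{aws:username}/" },
                        },
                    },
                },
                // Full object access, scoped to the caller's own home prefix.
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions = { "s3:*" },
                    Resources =
                    {
                        $"arn:aws:s3:::{s3BucketName}/home/&{{aws:username}}",
                        $"arn:aws:s3:::{s3BucketName}/home/&{{aws:username}}/*",
                    },
                },
            },
        }));

        var examplePolicy = new Aws.Iam.Policy("examplePolicy", new Aws.Iam.PolicyArgs
        {
            Path = "/",
            Policy = examplePolicyDocument.Apply(doc => doc.Json),
        });
    }
}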
package main
import (
	"fmt"

	"github.com/pulumi/pulumi-aws/sdk/v2/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v2/go/pulumi/config"
)
func main() {
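pulumi.Run(func(ctx *pulumi.Context) error {
	// The bucket name comes from stack configuration rather than the undefined
	// `_var.S3_bucket_name` reference (set it with `pulumi config set s3BucketName <name>`).
	s3BucketName := config.Require(ctx, "s3BucketName")

	// Per-user S3 "home directory" policy. Effect is omitted, so each statement
	// defaults to "Allow". `&{aws:username}` is a literal left for AWS to substitute.
	examplePolicyDocument, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
		Statements: []iam.GetPolicyDocumentStatement{
			// Bucket enumeration only; no object access is granted here.
			{
				Sid:       "1",
				Actions:   []string{"s3:ListAllMyBuckets", "s3:GetBucketLocation"},
				Resources: []string{"arn:aws:s3:::*"},
			},
			// Listing is limited by the `s3:prefix` condition to the bucket root,
			// `home/`, and the caller's own `home/<username>/` prefix.
			{
				Actions:   []string{"s3:ListBucket"},
				Resources: []string{fmt.Sprintf("arn:aws:s3:::%s", s3BucketName)},
				Conditions: []iam.GetPolicyDocumentStatementCondition{
					{
						Test:     "StringLike",
						Variable: "s3:prefix",
						Values:   []string{"", "home/", "home/&{aws:username}/"},
					},
				},
			},
			// Full object access, scoped to the caller's own home prefix.
			{
				Actions: []string{"s3:*"},
				Resources: []string{
					fmt.Sprintf("arn:aws:s3:::%s/home/&{aws:username}", s3BucketName),
					fmt.Sprintf("arn:aws:s3:::%s/home/&{aws:username}/*", s3BucketName),
				},
			},
		},
	}, nil)
	if err != nil {
		return err
	}

	_, err = iam.NewPolicy(ctx, "examplePolicy", &iam.PolicyArgs{
		Path:   pulumi.String("/"),
		Policy: pulumi.String(examplePolicyDocument.Json),
	})
	if err != nil {
		return err
	}
	return nil
})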
}Using this data source to generate policy documents is optional. It is also
valid to use literal JSON strings within your configuration, or to use the
file interpolation function to read a raw JSON policy document from a file.
Context Variable Interpolation
The IAM policy document format allows context variables to be interpolated
into various strings within a statement. The native IAM policy document format
uses `${...}`-style syntax, which conflicts with the provider's own interpolation
syntax, so this data source instead uses `&{...}` syntax for interpolations that
should be processed by AWS rather than by this provider.
Wildcard Principal
To define a wildcard principal (a.k.a. anonymous user), use `type = "*"` and
`identifiers = ["*"]`. In that case the rendered JSON will contain `"Principal": "*"`.
Note that even though the IAM documentation
states that `"Principal": "*"` and `"Principal": {"AWS": "*"}` are equivalent,
those principals behave differently in IAM role trust policies. Therefore
this provider normalizes the principal field only in the above-mentioned case; principals
like `type = "AWS"` and `identifiers = ["*"]` will be rendered as `"Principal": {"AWS": "*"}`.
Example with Source and Override
This shows how `source_json` and `override_json` can be used.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Both documents below carry a statement with sid "SidToOverwrite"; a matching
// sid is what lets `sourceJson` / `overrideJson` merging replace one statement
// with another.
const someBucketResources = [
    "arn:aws:s3:::somebucket",
    "arn:aws:s3:::somebucket/*",
];

const source = pulumi.output(aws.iam.getPolicyDocument({
    statements: [
        { actions: ["ec2:*"], resources: ["*"] },
        { actions: ["s3:*"], resources: ["*"], sid: "SidToOverwrite" },
    ],
}, { async: true }));

// `sourceJson` is the base; the inline statement with the same sid replaces
// the base's "SidToOverwrite" statement.
const sourceJsonExample = source.apply((baseDoc) => aws.iam.getPolicyDocument({
    sourceJson: baseDoc.json,
    statements: [{
        actions: ["s3:*"],
        resources: [...someBucketResources],
        sid: "SidToOverwrite",
    }],
}, { async: true }));

const override = pulumi.output(aws.iam.getPolicyDocument({
    statements: [{ actions: ["s3:*"], resources: ["*"], sid: "SidToOverwrite" }],
}, { async: true }));

// `overrideJson` wins: its "SidToOverwrite" statement replaces the inline one
// with the same sid.
const overrideJsonExample = override.apply((topDoc) => aws.iam.getPolicyDocument({
    overrideJson: topDoc.json,
    statements: [
        { actions: ["ec2:*"], resources: ["*"] },
        {
            actions: ["s3:*"],
            resources: [...someBucketResources],
            sid: "SidToOverwrite",
        },
    ],
}, { async: true }));import pulumi
import pulumi_aws as aws

# Both documents below carry a statement with sid "SidToOverwrite"; a matching
# sid is what lets source_json / override_json merging replace one statement
# with another.
some_bucket_resources = [
    "arn:aws:s3:::somebucket",
    "arn:aws:s3:::somebucket/*",
]

source = aws.iam.get_policy_document(statements=[
    {"actions": ["ec2:*"], "resources": ["*"]},
    {"actions": ["s3:*"], "resources": ["*"], "sid": "SidToOverwrite"},
])

# source_json is the base; the inline statement with the same sid replaces
# the base's "SidToOverwrite" statement.
source_json_example = aws.iam.get_policy_document(
    source_json=source.json,
    statements=[{
        "actions": ["s3:*"],
        "resources": list(some_bucket_resources),
        "sid": "SidToOverwrite",
    }],
)

override = aws.iam.get_policy_document(statements=[
    {"actions": ["s3:*"], "resources": ["*"], "sid": "SidToOverwrite"},
])

# override_json wins: its "SidToOverwrite" statement replaces the inline one
# with the same sid.
override_json_example = aws.iam.get_policy_document(override_json=override.json,
    statements=[
        {"actions": ["ec2:*"], "resources": ["*"]},
        {
            "actions": ["s3:*"],
            "resources": list(some_bucket_resources),
            "sid": "SidToOverwrite",
        },
])using Pulumi;
using Aws = Pulumi.Aws;
class MyStack : Stack
{
    public MyStack()
    {
        // Both documents below carry a statement with sid "SidToOverwrite"; a matching
        // sid is what lets SourceJson / OverrideJson merging replace one statement with another.
        var source = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions = { "ec2:*" },
                    Resources = { "*" },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions = { "s3:*" },
                    Resources = { "*" },
                    Sid = "SidToOverwrite",
                },
            },
        }));

        // SourceJson is the base; the inline statement with the same sid replaces
        // the base's "SidToOverwrite" statement.
        var sourceJsonExample = source.Apply(baseDoc => Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            SourceJson = baseDoc.Json,
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions = { "s3:*" },
                    Resources = { "arn:aws:s3:::somebucket", "arn:aws:s3:::somebucket/*" },
                    Sid = "SidToOverwrite",
                },
            },
        })));

        var @override = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions = { "s3:*" },
                    Resources = { "*" },
                    Sid = "SidToOverwrite",
                },
            },
        }));

        // OverrideJson wins: its "SidToOverwrite" statement replaces the inline one
        // with the same sid.
        var overrideJsonExample = @override.Apply(topDoc => Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            OverrideJson = topDoc.Json,
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions = { "ec2:*" },
                    Resources = { "*" },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions = { "s3:*" },
                    Resources = { "arn:aws:s3:::somebucket", "arn:aws:s3:::somebucket/*" },
                    Sid = "SidToOverwrite",
                },
            },
        })));
    }
}
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v2/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
	// Both documents below carry a statement with sid "SidToOverwrite"; a matching
	// sid is what lets SourceJson / OverrideJson merging replace one statement with another.
	source, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
		Statements: []iam.GetPolicyDocumentStatement{
			{
				Actions:   []string{"ec2:*"},
				Resources: []string{"*"},
			},
			{
				Actions:   []string{"s3:*"},
				Resources: []string{"*"},
				Sid:       "SidToOverwrite",
			},
		},
	}, nil)
	if err != nil {
		return err
	}

	// SourceJson is the base; the inline statement with the same sid replaces
	// the base's "SidToOverwrite" statement.
	sourceJson := source.Json
	_, err = iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
		SourceJson: &sourceJson,
		Statements: []iam.GetPolicyDocumentStatement{
			{
				Actions:   []string{"s3:*"},
				Resources: []string{"arn:aws:s3:::somebucket", "arn:aws:s3:::somebucket/*"},
				Sid:       "SidToOverwrite",
			},
		},
	}, nil)
	if err != nil {
		return err
	}

	override, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
		Statements: []iam.GetPolicyDocumentStatement{
			{
				Actions:   []string{"s3:*"},
				Resources: []string{"*"},
				Sid:       "SidToOverwrite",
			},
		},
	}, nil)
	if err != nil {
		return err
	}

	// OverrideJson wins: its "SidToOverwrite" statement replaces the inline one
	// with the same sid.
	overrideJson := override.Json
	_, err = iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
		OverrideJson: &overrideJson,
		Statements: []iam.GetPolicyDocumentStatement{
			{
				Actions:   []string{"ec2:*"},
				Resources: []string{"*"},
			},
			{
				Actions:   []string{"s3:*"},
				Resources: []string{"arn:aws:s3:::somebucket", "arn:aws:s3:::somebucket/*"},
				Sid:       "SidToOverwrite",
			},
		},
	}, nil)
	return err
})
}data.aws_iam_policy_document.source_json_example.json will evaluate to:
import * as pulumi from "@pulumi/pulumi";import pulumiusing Pulumi;
class MyStack : Stack
{
    // Empty stack: this snippet shows only the program skeleton.
    public MyStack() { }
}
package main
import (
"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)
func main() {
pulumi.Run(func(_ *pulumi.Context) error {
	// Empty program skeleton; nothing is declared.
	return nil
})
}data.aws_iam_policy_document.override_json_example.json will evaluate to:
import * as pulumi from "@pulumi/pulumi";import pulumiusing Pulumi;
class MyStack : Stack
{
    // Empty stack: this snippet shows only the program skeleton.
    public MyStack() { }
}
package main
import (
"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)
func main() {
pulumi.Run(func(_ *pulumi.Context) error {
	// Empty program skeleton; nothing is declared.
	return nil
})
}You can also combine source_json and override_json in the same document.
Example without Statement
Use without a statement:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Shared shape of the two one-statement documents; the sid "OverridePlaceholder"
// marks the statement for replacement when the documents are merged.
const placeholderStatement = {
    resources: ["*"],
    sid: "OverridePlaceholder",
};

const source = pulumi.output(aws.iam.getPolicyDocument({
    statements: [{ ...placeholderStatement, actions: ["ec2:DescribeAccountAttributes"] }],
}, { async: true }));

const override = pulumi.output(aws.iam.getPolicyDocument({
    statements: [{ ...placeholderStatement, actions: ["s3:GetObject"] }],
}, { async: true }));

// No inline statements: the document is composed purely from `sourceJson` and
// `overrideJson`, so the override's "OverridePlaceholder" statement replaces the source's.
const politik = pulumi.all([override, source]).apply(([topDoc, baseDoc]) => aws.iam.getPolicyDocument({
    overrideJson: topDoc.json,
    sourceJson: baseDoc.json,
}, { async: true }));import pulumi
import pulumi_aws as aws


def _placeholder_document(actions):
    """One-statement document whose sid "OverridePlaceholder" marks it for replacement."""
    return aws.iam.get_policy_document(statements=[{
        "actions": actions,
        "resources": ["*"],
        "sid": "OverridePlaceholder",
    }])


source = _placeholder_document(["ec2:DescribeAccountAttributes"])
override = _placeholder_document(["s3:GetObject"])

# No inline statements: the document is composed purely from source_json and
# override_json, so the override's "OverridePlaceholder" statement replaces the source's.
politik = aws.iam.get_policy_document(override_json=override.json,
source_json=source.json)using Pulumi;
using Aws = Pulumi.Aws;
class MyStack : Stack
{
    public MyStack()
    {
        // One-statement documents whose sid "OverridePlaceholder" marks them for replacement.
        var source = PlaceholderDocument("ec2:DescribeAccountAttributes");
        var @override = PlaceholderDocument("s3:GetObject");

        // No inline statements: the document is composed purely from SourceJson and
        // OverrideJson, so the override's "OverridePlaceholder" statement replaces the source's.
        var politik = Output.Tuple(@override, source).Apply(values =>
        {
            var (topDoc, baseDoc) = values;
            return Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
            {
                OverrideJson = topDoc.Json,
                SourceJson = baseDoc.Json,
            }));
        });
    }

    // Builds a document with a single "OverridePlaceholder" statement allowing `action` on "*".
    private static Output<Aws.Iam.GetPolicyDocumentResult> PlaceholderDocument(string action)
    {
        return Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions = { action },
                    Resources = { "*" },
                    Sid = "OverridePlaceholder",
                },
            },
        }));
    }
}
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v2/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
	// Builds a document with a single "OverridePlaceholder" statement allowing
	// `action` on "*"; the sid marks the statement for replacement when merged.
	placeholder := func(action string) (*iam.GetPolicyDocumentResult, error) {
		return iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Actions:   []string{action},
					Resources: []string{"*"},
					Sid:       "OverridePlaceholder",
				},
			},
		}, nil)
	}

	source, err := placeholder("ec2:DescribeAccountAttributes")
	if err != nil {
		return err
	}
	override, err := placeholder("s3:GetObject")
	if err != nil {
		return err
	}

	// No inline statements: the document is composed purely from SourceJson and
	// OverrideJson, so the override's "OverridePlaceholder" statement replaces the source's.
	overrideJson := override.Json
	sourceJson := source.Json
	_, err = iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
		OverrideJson: &overrideJson,
		SourceJson:   &sourceJson,
	}, nil)
	return err
})
}data.aws_iam_policy_document.politik.json will evaluate to:
import * as pulumi from "@pulumi/pulumi";import pulumiusing Pulumi;
class MyStack : Stack
{
    // Empty stack: this snippet shows only the program skeleton.
    public MyStack() { }
}
package main
import (
"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)
func main() {
pulumi.Run(func(_ *pulumi.Context) error {
	// Empty program skeleton; nothing is declared.
	return nil
})
}Using GetPolicyDocument
function getPolicyDocument(args: GetPolicyDocumentArgs, opts?: InvokeOptions): Promise<GetPolicyDocumentResult>function get_policy_document(override_json=None, policy_id=None, source_json=None, statements=None, version=None, opts=None)func GetPolicyDocument(ctx *Context, args *GetPolicyDocumentArgs, opts ...InvokeOption) (*GetPolicyDocumentResult, error)public static class GetPolicyDocument {
public static Task<GetPolicyDocumentResult> InvokeAsync(GetPolicyDocumentArgs args, InvokeOptions? opts = null)
}The following arguments are supported:
- Override
Json string An IAM policy document to import and override the current policy document. Statements with non-blank
`sid`s in the override document will overwrite statements with the same `sid` in the current document. Statements without a `sid` cannot be overwritten.
- Policy
Id string An ID for the policy document.
- Source
Json string An IAM policy document to import as a base for the current policy document. Statements with non-blank
`sid`s in the current policy document will overwrite statements with the same `sid` in the source JSON. Statements without a `sid` cannot be overwritten.
- Statements
List<Get
Policy Document Statement Args> A nested configuration block (described below) configuring one statement to be included in the policy document.
- Version string
IAM policy document version. Valid values:
`2008-10-17`, `2012-10-17`. Defaults to `2012-10-17`. For more information, see the AWS IAM User Guide.
- Override
Json string An IAM policy document to import and override the current policy document. Statements with non-blank
`sid`s in the override document will overwrite statements with the same `sid` in the current document. Statements without a `sid` cannot be overwritten.
- Policy
Id string An ID for the policy document.
- Source
Json string An IAM policy document to import as a base for the current policy document. Statements with non-blank
`sid`s in the current policy document will overwrite statements with the same `sid` in the source JSON. Statements without a `sid` cannot be overwritten.
- Statements
[]Get
Policy Document Statement A nested configuration block (described below) configuring one statement to be included in the policy document.
- Version string
IAM policy document version. Valid values:
`2008-10-17`, `2012-10-17`. Defaults to `2012-10-17`. For more information, see the AWS IAM User Guide.
- override
Json string An IAM policy document to import and override the current policy document. Statements with non-blank
`sid`s in the override document will overwrite statements with the same `sid` in the current document. Statements without a `sid` cannot be overwritten.
- policy
Id string An ID for the policy document.
- source
Json string An IAM policy document to import as a base for the current policy document. Statements with non-blank
`sid`s in the current policy document will overwrite statements with the same `sid` in the source JSON. Statements without a `sid` cannot be overwritten.
- statements
Get
Policy Document Statement[] A nested configuration block (described below) configuring one statement to be included in the policy document.
- version string
IAM policy document version. Valid values:
`2008-10-17`, `2012-10-17`. Defaults to `2012-10-17`. For more information, see the AWS IAM User Guide.
- override_
json str An IAM policy document to import and override the current policy document. Statements with non-blank
`sid`s in the override document will overwrite statements with the same `sid` in the current document. Statements without a `sid` cannot be overwritten.
- policy_
id str An ID for the policy document.
- source_
json str An IAM policy document to import as a base for the current policy document. Statements with non-blank
`sid`s in the current policy document will overwrite statements with the same `sid` in the source JSON. Statements without a `sid` cannot be overwritten.
- statements
List[Get
Policy Document Statement] A nested configuration block (described below) configuring one statement to be included in the policy document.
- version str
IAM policy document version. Valid values:
`2008-10-17`, `2012-10-17`. Defaults to `2012-10-17`. For more information, see the AWS IAM User Guide.
GetPolicyDocument Result
The following output properties are available:
- Id string
The provider-assigned unique ID for this managed resource.
- Json string
The above arguments serialized as a standard JSON policy document.
- Override
Json string - Policy
Id string - Source
Json string - Statements
List<Get
Policy Document Statement> - Version string
- Id string
The provider-assigned unique ID for this managed resource.
- Json string
The above arguments serialized as a standard JSON policy document.
- Override
Json string - Policy
Id string - Source
Json string - Statements
[]Get
Policy Document Statement - Version string
- id string
The provider-assigned unique ID for this managed resource.
- json string
The above arguments serialized as a standard JSON policy document.
- override
Json string - policy
Id string - source
Json string - statements
Get
Policy Document Statement[] - version string
- id str
The provider-assigned unique ID for this managed resource.
- json str
The above arguments serialized as a standard JSON policy document.
- override_
json str - policy_
id str - source_
json str - statements
List[Get
Policy Document Statement] - version str
Supporting Types
GetPolicyDocumentStatement
- Actions List<string>
A list of actions that this statement either allows or denies. For example,
["ec2:RunInstances", "s3:*"].- Conditions
List<Get
Policy Document Statement Condition Args> A nested configuration block (described below) that defines a further, possibly-service-specific condition that constrains whether this statement applies.
- Effect string
Either “Allow” or “Deny”, to specify whether this statement allows or denies the given actions. The default is “Allow”.
- Not
Actions List<string> A list of actions that this statement does not apply to. Used to apply a policy statement to all actions except those listed.
- Not
Principals List<GetPolicy Document Statement Not Principal Args> Like
`principals` except it gives principals that the statement does not apply to.
- Not
Resources List<string> A list of resource ARNs that this statement does not apply to. Used to apply a policy statement to all resources except those listed.
- Principals
List<Get
Policy Document Statement Principal Args> A nested configuration block (described below) specifying a principal (or principal pattern) to which this statement applies.
- Resources List<string>
A list of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy.
- Sid string
An ID for the policy statement.
- Actions []string
A list of actions that this statement either allows or denies. For example,
["ec2:RunInstances", "s3:*"].- Conditions
[]Get
Policy Document Statement Condition A nested configuration block (described below) that defines a further, possibly-service-specific condition that constrains whether this statement applies.
- Effect string
Either “Allow” or “Deny”, to specify whether this statement allows or denies the given actions. The default is “Allow”.
- Not
Actions []string A list of actions that this statement does not apply to. Used to apply a policy statement to all actions except those listed.
- Not
Principals []GetPolicy Document Statement Not Principal Like
`principals` except it gives principals that the statement does not apply to.
- Not
Resources []string A list of resource ARNs that this statement does not apply to. Used to apply a policy statement to all resources except those listed.
- Principals
[]Get
Policy Document Statement Principal A nested configuration block (described below) specifying a principal (or principal pattern) to which this statement applies.
- Resources []string
A list of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy.
- Sid string
An ID for the policy statement.
- actions string[]
A list of actions that this statement either allows or denies. For example,
["ec2:RunInstances", "s3:*"].- conditions
Get
Policy Document Statement Condition[] A nested configuration block (described below) that defines a further, possibly-service-specific condition that constrains whether this statement applies.
- effect string
Either “Allow” or “Deny”, to specify whether this statement allows or denies the given actions. The default is “Allow”.
- not
Actions string[] A list of actions that this statement does not apply to. Used to apply a policy statement to all actions except those listed.
- not
Principals GetPolicy Document Statement Not Principal[] Like
`principals` except it gives principals that the statement does not apply to.
- not
Resources string[] A list of resource ARNs that this statement does not apply to. Used to apply a policy statement to all resources except those listed.
- principals
Get
Policy Document Statement Principal[] A nested configuration block (described below) specifying a principal (or principal pattern) to which this statement applies.
- resources string[]
A list of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy.
- sid string
An ID for the policy statement.
- actions List[str]
A list of actions that this statement either allows or denies. For example,
["ec2:RunInstances", "s3:*"].- conditions
List[Get
Policy Document Statement Condition] A nested configuration block (described below) that defines a further, possibly-service-specific condition that constrains whether this statement applies.
- effect str
Either “Allow” or “Deny”, to specify whether this statement allows or denies the given actions. The default is “Allow”.
- not
Actions List[str] A list of actions that this statement does not apply to. Used to apply a policy statement to all actions except those listed.
- not
Principals List[GetPolicy Document Statement Not Principal] Like
`principals` except it gives principals that the statement does not apply to.
- not
Resources List[str] A list of resource ARNs that this statement does not apply to. Used to apply a policy statement to all resources except those listed.
- principals
List[Get
Policy Document Statement Principal] A nested configuration block (described below) specifying a principal (or principal pattern) to which this statement applies.
- resources List[str]
A list of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy.
- sid str
An ID for the policy statement.
GetPolicyDocumentStatementCondition
- Test string
The name of the IAM condition operator to evaluate.
- Values List<string>
The values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. (That is, the tests are combined with the “OR” boolean operation.)
- Variable string
The name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with
aws:, or service-specific variables prefixed with the service name.
- Test string
The name of the IAM condition operator to evaluate.
- Values []string
The values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. (That is, the tests are combined with the “OR” boolean operation.)
- Variable string
The name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with
aws:, or service-specific variables prefixed with the service name.
- test string
The name of the IAM condition operator to evaluate.
- values string[]
The values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. (That is, the tests are combined with the “OR” boolean operation.)
- variable string
The name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with
aws:, or service-specific variables prefixed with the service name.
- test str
The name of the IAM condition operator to evaluate.
- values List[str]
The values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. (That is, the tests are combined with the “OR” boolean operation.)
- variable str
The name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with
aws:, or service-specific variables prefixed with the service name.
GetPolicyDocumentStatementNotPrincipal
- Identifiers List<string>
List of identifiers for principals. When
`type` is “AWS”, these are IAM user or role ARNs. When `type` is “Service”, these are AWS Service roles, e.g. `lambda.amazonaws.com`. When `type` is “Federated”, these are web identity users or SAML provider ARNs.
- Type string
The type of principal. For AWS ARNs this is “AWS”. For AWS services (e.g. Lambda), this is “Service”. For Federated access the type is “Federated”.
- Identifiers []string
List of identifiers for principals. When
`type` is “AWS”, these are IAM user or role ARNs. When `type` is “Service”, these are AWS Service roles, e.g. `lambda.amazonaws.com`. When `type` is “Federated”, these are web identity users or SAML provider ARNs.
- Type string
The type of principal. For AWS ARNs this is “AWS”. For AWS services (e.g. Lambda), this is “Service”. For Federated access the type is “Federated”.
- identifiers string[]
List of identifiers for principals. When
`type` is “AWS”, these are IAM user or role ARNs. When `type` is “Service”, these are AWS Service roles, e.g. `lambda.amazonaws.com`. When `type` is “Federated”, these are web identity users or SAML provider ARNs.
- type string
The type of principal. For AWS ARNs this is “AWS”. For AWS services (e.g. Lambda), this is “Service”. For Federated access the type is “Federated”.
- identifiers List[str]
List of identifiers for principals. When
`type` is “AWS”, these are IAM user or role ARNs. When `type` is “Service”, these are AWS Service roles, e.g. `lambda.amazonaws.com`. When `type` is “Federated”, these are web identity users or SAML provider ARNs.
- type str
The type of principal. For AWS ARNs this is “AWS”. For AWS services (e.g. Lambda), this is “Service”. For Federated access the type is “Federated”.
GetPolicyDocumentStatementPrincipal
- Identifiers List<string>
List of identifiers for principals. When
`type` is “AWS”, these are IAM user or role ARNs. When `type` is “Service”, these are AWS Service roles, e.g. `lambda.amazonaws.com`. When `type` is “Federated”, these are web identity users or SAML provider ARNs.
- Type string
The type of principal. For AWS ARNs this is “AWS”. For AWS services (e.g. Lambda), this is “Service”. For Federated access the type is “Federated”.
- Identifiers []string
List of identifiers for principals. When
`type` is “AWS”, these are IAM user or role ARNs. When `type` is “Service”, these are AWS Service roles, e.g. `lambda.amazonaws.com`. When `type` is “Federated”, these are web identity users or SAML provider ARNs.
- Type string
The type of principal. For AWS ARNs this is “AWS”. For AWS services (e.g. Lambda), this is “Service”. For Federated access the type is “Federated”.
- identifiers string[]
List of identifiers for principals. When
`type` is “AWS”, these are IAM user or role ARNs. When `type` is “Service”, these are AWS Service roles, e.g. `lambda.amazonaws.com`. When `type` is “Federated”, these are web identity users or SAML provider ARNs.
- type string
The type of principal. For AWS ARNs this is “AWS”. For AWS services (e.g. Lambda), this is “Service”. For Federated access the type is “Federated”.
- identifiers List[str]
List of identifiers for principals. When
`type` is “AWS”, these are IAM user or role ARNs. When `type` is “Service”, these are AWS Service roles, e.g. `lambda.amazonaws.com`. When `type` is “Federated”, these are web identity users or SAML provider ARNs.
- type str
The type of principal. For AWS ARNs this is “AWS”. For AWS services (e.g. Lambda), this is “Service”. For Federated access the type is “Federated”.
Package Details
- Repository
- https://github.com/pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
`aws` Terraform Provider.